CVE-2022-36022

Some Deeplearning4J packages use unclaimed s3 bucket in tests and examples

Severity Score: 5.3 (CVSS v3.1)
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests through version 1.0.0-M2.1 may use some unclaimed S3 buckets in tests and examples. This is likely to affect people who use some older NLP examples that reference an old S3 bucket. The problem has been patched. Users should upgrade to snapshots, as Deeplearning4J plans to publish a release with the fix at a later date. As a workaround, download a word2vec Google News vector from a new source using git lfs from here.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-07-15 CVE Reserved
  • 2022-11-10 CVE Published
  • 2024-04-22 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-330: Use of Insufficiently Random Values
  • CWE-344: Use of Invariant Value in Dynamically Changing Context
CAPEC
Affected Vendors, Products, and Versions
Vendor    Product          Version    Other          Status
Eclipse   Deeplearning4j   < 1.0.0    -              Affected
Eclipse   Deeplearning4j   1.0.0      beta5          Affected
Eclipse   Deeplearning4j   1.0.0      beta6          Affected
Eclipse   Deeplearning4j   1.0.0      beta7          Affected
Eclipse   Deeplearning4j   1.0.0      milestone1     Affected
Eclipse   Deeplearning4j   1.0.0      milestone1.1   Affected
Eclipse   Deeplearning4j   1.0.0      milestone2     Affected